Responder Field Edition & Pro Memory Forensics A How To Guide For Responder Field Edition & Pro Prepare For Investigation Search & Analyze Report Findings

Preparation Forensic Analysis Where To Start Begin by creating a list of search terms that are relevant to your investigation. Prioritize the terms based on importance. Create a list of things you know that are involved in the investigation: Names of people Office applications Domain names Encryption chat Project names Email addresses Filenames Phone numbers Websites Credit card numbers This text file can be used to automate locating items in memory:

Approach For Investigating A Particular Application Forensic Analysis Preparation (cont.) Considerations Try to find objects and artifacts that can tell you: Who has logged into the computer? When did things happen? What processes are running? What applications are installed? What file types of files are found? What are the capabilities of the installed programs? Approach For Investigating A Particular Application Conduct background research: e.g., Skype: Google: “Skype” What is it? How is it used? Why is the suspect using it? Is there volatile data in memory that might not be available by performing disk based forensics? Are there recoverable passwords?

Begin Investigation Forensic Analysis Case Creation A case must be created for each memory image you need to investigate. Begin by creating a new case as demonstrated below. Import a previously acquired memory image. Memory images may be analyzed that were acquired with third party tools as well as HBGary’s Fast Dump Pro (FDPro) tool. It is recommended to import the system swap file whenever possible. This can only be done when an acquisition has been completed using FDPro with the appropriate options.

Investigating Webmail Forensic Analysis Investigating Webmail Web Browser Artifacts Begin by searching the internet history contained in the memory image. Look for URLs that are associated with webmail services such as yahoo, gmail, hushmail, or less common services. The graphic below demonstrates the manual browsing of URLs. The following items should be noted: -Web sites visited -Files downloaded -Memory offsets Identify network connections and externally routable IP addresses. Note the process associated with the connection. Externally attainable intelligence can be gathered on the IP address such as domain name resolution and registration information.

Investigating Webmail (cont.) Forensic Analysis Investigating Webmail (cont.) Searching Memory The entire memory image can be searched for ASCII and Unicode formatted strings. This can be done by double-clicking the memory image icon as demonstrated below. Then use the binoculars icon to perform the search. WebMail Search Terms Search the memory image for strings commonly associated with email activity. Example search strings: @gmail.com @hotmail.com @yahoo.com @hushmail.com Attachment &passwd= &login=

Skype Memory Artifacts Forensic Analysis Investigating Skype Skype Memory Artifacts Verify Skype is running via the “Process” list: Inspect the “Open Files” list Sort by name Locate Skype Identify the Windows username and the Skype username: C:\Documents and Settings\username\Application Data\Skype\skype username.

Locate Unencrypted Chat Forensic Analysis Investigating Skype (cont.) Locate Unencrypted Chat Skype uses the # and $ sign to denote chat conversations. Search for the Skype username with a # and or $ sign preceding the name. Make sure to search for ASCII and Unicode strings. Make sure to search for ASCII and Unicode text strings: Example chat snippet:

Plugin Support Forensic Analysis Background Responder FE supports plugins which extend the product’s capabilities. The plugins are written by HBGary engineers and customers are free to download and use them. First download the plugin of interest to a location accessible by Responder. Then select “Plugin” from the main menu and then “Compile and Load…” After the plugin has been compiled and loaded it will accessible via the “Toolbox” menu. Select the plugin by cliking on the link. Different plugins will have next steps in order to complete the analysis.

Plugin Support Forensic Analysis Background Responder FE supports plugins which extend the product’s capabilities. The plugins are written by HBGary engineers and customers are free to download and use them. First download the plugin of interest to a location accessible by Responder. Then select “Plugin” from the main menu and then “Compile and Load…” After the plugin has been compiled and loaded it will accessible via the “Toolbox” menu. Select the plugin by cliking on the link. Different plugins will have next steps in order to complete the analysis.

Plugin Support (Cont.) Forensic Analysis Image Extraction The ImageExtractorPlugin.dll will attempt to carve image fragments out of a memory snapshot. Depending on the size of the memory image this can a significant amount of time. Once completed the image fragments will be placed in a folder which Responder will identify to the analyst. Document Extraction

Report Generation Forensic Analysis Reporting Steps Evidentiary data should be added to the report throughout the investigation. This can be done by right-clicking on items and selecting “Send to report”. Items can also be added to the report by creating bookmarks throughout the memory image. This is done by right-clicking at the location of interest within the memory view as shown below.

Report Generation (Cont.) Forensic Analysis Report Generation (Cont.) Bookmarks can be edited within the “Report” tab. This can be done by right-clicking on the report item and selecting “Edit Bookmark.” Final Report The final report can be generated after all relevant items have been added to the report. This is done by selecting the “Toolbox” on the left side of the GUI and selecting “RTF Report.”